Parsing for the "Authorization" header is done outside the try/finally block, in StashAuthenticationFilter, but the code may throw a BadCredentialsException if the header is not valid. Since this is outside the exception handling, it results in a 500 error instead of a 401. This is particularly problematic for git hosting operations, which abort after a 500 instead of prompting for credentials like they would on a 401.